Report No. 13-36                                                                        September 27, 2013
                                        Appalachian Regional Commission
                                                          Evaluation Report


                                                         Table of Contents

     Results of Evaluation

     Problem Areas
        Problem Area 1: The Commission’s system did not fully measure patching status.
        Problem Area 2: The Commission’s automated process did not fully patch all systems.

     Management Comments and Our Analysis
     Objective, Scope and Methodology


                              Results of Evaluation

The purpose of this evaluation was to answer the question:

       Has the ARC implemented an effective, comprehensive system maintaining patch levels?

No. While the ARC did have a process in place to apply patches, the existing process was not fully effective.

The process for patching ARC systems is ineffective and exposes the Commission’s information and systems to significant risk. On June 28, 2013, we reviewed the patch status of 45 machines and found that:

   •   All but five systems were missing High or Critical Severity patches. A High Severity patch is a software change designed to prevent intruders from running code of their choice on the network or elevating their privileges to take control of Commission systems.
   •   1,258 High or Critical Severity patches were missing across Commission systems.
   •   An average of 28 High or Critical Severity patches were missing from each system.
   •   18 systems (40%) were missing patches that had been released one year ago or earlier.
   •   An average of 19 High or Critical Severity patches for third-party (non-Microsoft) software were missing from each system.

When software vendors identify problems with their applications or operating systems, they create and release updates to the software to resolve these issues. These updates are known as ‘patches.’ Vendors make patches available to the public, who install them to rectify the problems they are intended to solve.

The majority of patches released today are designed to correct previously identified security flaws. Systems without these patches remain vulnerable to exploitation of those flaws, which could result in an intrusion by malicious individuals. Vulnerabilities rated High or Critical severity are those that pose the highest risk to the systems in question. Once a patch is released, the risk to unpatched systems increases rather than decreases: it has been publicly announced that a flaw is present, and the patch itself can be analyzed (for example, by comparing the patched and unpatched code) to precisely identify the nature of the security flaw. Malicious parties use this information to create new exploits if they are not available already.

In order to manage and reduce the risk to the organization, those responsible for managing its systems must continually track the patch status of those systems, and deploy patches as soon as they are made available. If systems are allowed to remain unpatched, the ease with which they can be attacked can nullify all other security measures in place at the organization. Patching systems is a primary means of securing systems, and despite potential assertions to the contrary, there are no effective substitutes for this basic security measure. Every unpatched system that connects to the Internet increases the risk to the organization.

The patching process for ARC systems was ineffective because the Commission did not measure its patch status, and it did not have an automated process to fully patch all systems. These problem areas are discussed in detail in the rest of this report.


                                   Problem Areas

                                 Problem Area 1:
           The Commission’s system did not fully measure patching status.

The Commission did not measure the patching status of its systems. This lack of monitoring was partially responsible for the fact that systems were not patched. Our analysis of 45 workstations determined that High or Critical severity patches were missing from 40, or 89%, of all systems tested. On average, each system was missing 28 High or Critical severity patches.

Effective management is only possible with consistent measurement. Because the Commission did not monitor the patch status of its systems, it could not manage the patching process or, by extension, the security of its network.

A system with missing patches exposes more than that single computer to risk: it exposes all data and systems on the network. An exploited system serves as the attacker’s entry point into the network. Once a foothold is gained, attackers can explore and potentially exploit every other system on that network. One weak link effectively circumvents the other security controls applied at the network perimeter or within the application itself.

In order to execute the mission of the Commission, senior management must remain informed of risks to its underlying systems. Because they were not regularly given an accurate picture of the Commission’s information security status, they were not aware of the risks to the confidentiality, integrity, and availability of Commission data and systems.

Recommendation 1: Implement a specialized software tool to scan the patch status of all Commission equipment at least weekly. This tool should be distinct from the tool used to patch systems, so that the measurement does not depend on the patching tool reporting on its own coverage.

Recommendation 2: Report patching status monthly to Commission executive management.


                               Problem Area 2:
        The Commission’s automated process did not fully patch all systems.

As of June 28, 2013, the Commission was missing 1,258 High or Critical patches on its systems. Due to the sheer number of patches released and the labor required to apply them by hand, it is impossible to rely on manual processes to apply patches in a timely manner, and any process that is unable to automatically patch third-party software is insufficient to protect the Commission’s data. While Microsoft provides robust, free tools to apply patches to its own software, on its own that software does not provide automated patching for third-party software. Third-party software includes common items such as Mozilla Firefox, Adobe Acrobat, and Oracle Java. Of the 45 systems analyzed, 40 were missing High or Critical patches for third-party software. On average, each system was missing 19 patches for third-party software. Attacks on vulnerable third-party software are one of the primary vectors of intrusion.

High or Critical severity patches for all software should be applied Commission-wide within days of release by their manufacturer. To achieve the best protection, these patches should be installed on most systems the same day a patch is released, because exploits are generated quickly from the information provided as part of the patch. Any delay beyond the release date of a patch increases the risk exposure. For this reason, Microsoft preconfigures Windows operating systems to download and install available patches every night.

Commission staff should be protected from malicious content encountered while browsing the Internet or received via email. Unpatched systems lack this basic level of protection, and greatly increase the risk of system-wide compromise. Even new builds of systems will be missing patches, and should be fully patched before being brought online.

The Commission’s current patching method demands significant resources because it is not fully automated. Because it does not immediately apply all necessary High or Critical severity patches, the Commission is operating under a high level of risk. As a result, the Commission does not have the most basic level of defense to secure its systems and its network. The current patching process does not effectively protect the Commission’s information or systems.

Recommendation 3: Implement a specialized software tool to automatically patch all Commission systems.

Recommendation 4: Patch all vulnerable software on all systems.

Recommendation 5: Apply all High or Critical severity patches on the day of release.

Recommendation 6: Fully patch all new systems as part of the build process.


              Management Comments and Our Analysis

On July 26, 2013, management provided comments on the draft evaluation report. They concurred with our assessment that there are two problem areas that resulted in the absence of an effective, comprehensive system maintaining patch levels. They subsequently provided management decisions that would address each of the six recommendations.

At the time of the final report, the Commission had purchased and deployed new tools to improve its ability to fully patch all of its systems in a timely fashion.


                    Objective, Scope and Methodology

Objective:
       Has the ARC implemented an effective, comprehensive system maintaining patch levels?

Scope:
       The scope of this evaluation included all servers, workstations, and other network equipment providing services and security on the ARC network.

Methodology:

1. Used Nessus with current definitions to perform an authenticated scan of all infrastructure and endpoints related to the ARC network.
2. Identified systems that could not be scanned due to technical or policy issues, and identified a means of configuring these systems so they could be scanned.
3. Analyzed vulnerabilities to remove false positives, and classified findings to identify trends and the causes of unpatched vulnerabilities.
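The figures presented under Results of Evaluation (systems missing High or Critical patches, total and per-system counts, systems with patches more than a year old, third-party share) and the classification step in the methodology above can be reproduced from a findings export with a short script. The following is an added example written for this page, not the evaluators' tooling or any ARC process. It assumes a simplified export with columns host, risk, vendor, patch_date and name (one row per finding, risk using the Nessus labels None/Low/Medium/High/Critical, patch_date being the vendor's release date); a real Nessus CSV has more columns and no vendor field, so a mapping step would be needed first. The host names, vendors, dates and finding names in the sample are constructed. It also lists the High or Critical patches that have exceeded a deployment target, with the same-day target of Recommendation 5 as the default.

```python
"""Added example (not from the report): derive the report's patch-status
metrics from a findings export and flag patches past a deployment deadline.

Assumed export layout: host,risk,vendor,patch_date,name, one row per finding.
"""
import csv
import io
from collections import defaultdict
from datetime import date, datetime

HIGH_CRITICAL = {"High", "Critical"}
FIRST_PARTY = {"Microsoft"}       # the report's "third-party" is everything non-Microsoft
AS_OF = date(2013, 6, 28)         # scan date used in the report

# Constructed sample export.  The informational row (risk "None") is kept so
# that a fully patched host (ws04) is still counted as a scanned system.
SAMPLE_CSV = """host,risk,vendor,patch_date,name
ws01,Critical,Microsoft,2013-06-11,Constructed: browser cumulative update
ws01,High,Oracle,2012-02-14,Constructed: Java runtime update
ws01,Medium,Microsoft,2013-05-14,Constructed: .NET update
ws02,High,Adobe,2013-05-14,Constructed: PDF reader update
ws02,Critical,Mozilla,2013-06-25,Constructed: Firefox update
ws03,Low,Microsoft,2013-04-09,Constructed: hardening finding
ws04,None,,,Constructed: OS fingerprint (informational)
ws05,High,Microsoft,2013-06-11,Constructed: kernel update
"""


def parse_findings(text):
    """Parse the export; patch_date becomes a date (None for informational rows)."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["patch_date"].strip()
        row["patch_date"] = datetime.strptime(raw, "%Y-%m-%d").date() if raw else None
        findings.append(row)
    return findings


def age_days(finding, as_of):
    """Days between the vendor's patch release and the scan date."""
    return (as_of - finding["patch_date"]).days


def summarize(findings, as_of=AS_OF, stale_days=365):
    """Compute the figures the report presents; averages are over all scanned hosts,
    including the fully patched ones, as in the report (1258 / 45 = 28)."""
    hosts = {f["host"] for f in findings}
    hc = [f for f in findings if f["risk"] in HIGH_CRITICAL]
    per_host = defaultdict(int)
    third_party = defaultdict(int)
    for f in hc:
        per_host[f["host"]] += 1
        if f["vendor"] not in FIRST_PARTY:
            third_party[f["host"]] += 1
    # "released one year ago or prior": any missing patch at least stale_days old
    stale_hosts = {f["host"] for f in findings
                   if f["patch_date"] and age_days(f, as_of) >= stale_days}
    n = len(hosts)
    return {
        "hosts_scanned": n,
        "hosts_missing_high_critical": len(per_host),
        "pct_hosts_missing_high_critical": round(100 * len(per_host) / n) if n else 0,
        "total_high_critical_missing": len(hc),
        "avg_high_critical_per_host": round(len(hc) / n, 1) if n else 0.0,
        "hosts_with_stale_patches": len(stale_hosts),
        "avg_third_party_high_critical_per_host":
            round(sum(third_party.values()) / n, 1) if n else 0.0,
        "oldest_missing_high_critical_days":
            max((age_days(f, as_of) for f in hc if f["patch_date"]), default=0),
    }


def overdue(findings, as_of=AS_OF, max_age_days=0):
    """High/Critical patches older than the deployment target (Recommendation 5:
    same day, i.e. max_age_days=0), oldest first: the remediation work list."""
    late = [(age_days(f, as_of), f["host"], f["name"]) for f in findings
            if f["risk"] in HIGH_CRITICAL and f["patch_date"]
            and age_days(f, as_of) > max_age_days]
    return sorted(late, reverse=True)


if __name__ == "__main__":
    data = parse_findings(SAMPLE_CSV)
    for key, value in summarize(data).items():
        print(f"{key:45} {value}")
    print("\nOverdue High/Critical patches (oldest first):")
    for days, host, name in overdue(data):
        print(f"  {days:4d} days  {host}  {name}")
```

Two design points matter in practice. The scanned-host set is taken from every row, not only from rows with missing patches, because a host with nothing missing would otherwise vanish from the denominator and inflate the averages; a credentialed scan always emits informational findings per host, which is what makes that work. The staleness and deadline checks use the vendor's release date rather than the scan date, since the exposure the report describes starts when the patch is published, not when the scanner notices it.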